move macros from /etc/rpm to macros.d (#1074277)
- remove unused patches
parent
9f6ae98c27
commit
6228c46ec0
@ -1,45 +0,0 @@
|
|||||||
--- trunk/server/vhost.c 2013/05/11 11:51:28 1481305
|
|
||||||
+++ trunk/server/vhost.c 2013/05/11 12:05:24 1481306
|
|
||||||
@@ -577,14 +577,21 @@
|
|
||||||
*/
|
|
||||||
|
|
||||||
for (s = main_s->next; s; s = s->next) {
|
|
||||||
+ server_addr_rec *sar_prev = NULL;
|
|
||||||
has_default_vhost_addr = 0;
|
|
||||||
for (sar = s->addrs; sar; sar = sar->next) {
|
|
||||||
ipaddr_chain *ic;
|
|
||||||
char inaddr_any[16] = {0}; /* big enough to handle IPv4 or IPv6 */
|
|
||||||
-
|
|
||||||
+ /* XXX: this treats 0.0.0.0 as a "default" server which matches no-exact-match for IPv6 */
|
|
||||||
if (!memcmp(sar->host_addr->ipaddr_ptr, inaddr_any, sar->host_addr->ipaddr_len)) {
|
|
||||||
ic = find_default_server(sar->host_port);
|
|
||||||
- if (!ic || sar->host_port != ic->sar->host_port) {
|
|
||||||
+
|
|
||||||
+ if (ic && sar->host_port == ic->sar->host_port) { /* we're a match for an existing "default server" */
|
|
||||||
+ if (!sar_prev || memcmp(sar_prev->host_addr->ipaddr_ptr, inaddr_any, sar_prev->host_addr->ipaddr_len)) {
|
|
||||||
+ add_name_vhost_config(p, main_s, s, sar, ic);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
/* No default server, or we found a default server but
|
|
||||||
** exactly one of us is a wildcard port, which means we want
|
|
||||||
** two ip-based vhosts not an NVH with two names
|
|
||||||
@@ -592,6 +599,7 @@
|
|
||||||
ic = new_ipaddr_chain(p, s, sar);
|
|
||||||
ic->next = default_list;
|
|
||||||
default_list = ic;
|
|
||||||
+ add_name_vhost_config(p, main_s, s, sar, ic);
|
|
||||||
}
|
|
||||||
has_default_vhost_addr = 1;
|
|
||||||
}
|
|
||||||
@@ -609,8 +617,9 @@
|
|
||||||
ic->next = *iphash_table_tail[bucket];
|
|
||||||
*iphash_table_tail[bucket] = ic;
|
|
||||||
}
|
|
||||||
+ add_name_vhost_config(p, main_s, s, sar, ic);
|
|
||||||
}
|
|
||||||
- add_name_vhost_config(p, main_s, s, sar, ic);
|
|
||||||
+ sar_prev = sar;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Ok now we want to set up a server_hostname if the user was
|
|
@ -1,248 +0,0 @@
|
|||||||
# ./pullrev.sh 1332643 1345599
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com//show_bug.cgi?id=809599
|
|
||||||
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1332643
|
|
||||||
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1345599
|
|
||||||
|
|
||||||
--- httpd-2.4.4/modules/ssl/mod_ssl.c.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/mod_ssl.c
|
|
||||||
@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds
|
|
||||||
AP_END_CMD
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
|
|
||||||
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
|
|
||||||
+ modssl, AP, int, npn_advertise_protos_hook,
|
|
||||||
+ (conn_rec *connection, apr_array_header_t *protos),
|
|
||||||
+ (connection, protos), OK, DECLINED);
|
|
||||||
+
|
|
||||||
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
|
|
||||||
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
|
|
||||||
+ modssl, AP, int, npn_proto_negotiated_hook,
|
|
||||||
+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
|
|
||||||
+ (connection, proto_name, proto_name_len), OK, DECLINED);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* the various processing hooks
|
|
||||||
*/
|
|
||||||
--- httpd-2.4.4/modules/ssl/mod_ssl.h.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/mod_ssl.h
|
|
||||||
@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
|
|
||||||
|
|
||||||
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
|
|
||||||
|
|
||||||
+/** The npn_advertise_protos optional hook allows other modules to add entries
|
|
||||||
+ * to the list of protocol names advertised by the server during the Next
|
|
||||||
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
|
|
||||||
+ * given the connection and an APR array; it should push one or more char*'s
|
|
||||||
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
|
|
||||||
+ * the array and return OK, or do nothing and return DECLINED. */
|
|
||||||
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
|
|
||||||
+ (conn_rec *connection, apr_array_header_t *protos));
|
|
||||||
+
|
|
||||||
+/** The npn_proto_negotiated optional hook allows other modules to discover the
|
|
||||||
+ * name of the protocol that was chosen during the Next Protocol Negotiation
|
|
||||||
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
|
|
||||||
+ * (in which case modules should probably assume HTTP), or it may be a protocol
|
|
||||||
+ * that was never even advertised by the server. The hook callee is given the
|
|
||||||
+ * connection, a non-null-terminated string containing the protocol name, and
|
|
||||||
+ * the length of the string; it should do something appropriate (i.e. insert or
|
|
||||||
+ * remove filters) and return OK, or do nothing and return DECLINED. */
|
|
||||||
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
|
|
||||||
+ (conn_rec *connection, const char *proto_name,
|
|
||||||
+ apr_size_t proto_name_len));
|
|
||||||
+
|
|
||||||
#endif /* __MOD_SSL_H__ */
|
|
||||||
/** @} */
|
|
||||||
--- httpd-2.4.4/modules/ssl/ssl_engine_init.c.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
|
|
||||||
@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
|
|
||||||
#endif
|
|
||||||
|
|
||||||
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_TLS_NPN
|
|
||||||
+ SSL_CTX_set_next_protos_advertised_cb(
|
|
||||||
+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
static void ssl_init_ctx_verify(server_rec *s,
|
|
||||||
--- httpd-2.4.4/modules/ssl/ssl_engine_io.c.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
|
|
||||||
@@ -28,6 +28,7 @@
|
|
||||||
core keeps dumping.''
|
|
||||||
-- Unknown */
|
|
||||||
#include "ssl_private.h"
|
|
||||||
+#include "mod_ssl.h"
|
|
||||||
#include "apr_date.h"
|
|
||||||
|
|
||||||
/* _________________________________________________________________
|
|
||||||
@@ -297,6 +298,7 @@ typedef struct {
|
|
||||||
apr_pool_t *pool;
|
|
||||||
char buffer[AP_IOBUFSIZE];
|
|
||||||
ssl_filter_ctx_t *filter_ctx;
|
|
||||||
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
|
|
||||||
} bio_filter_in_ctx_t;
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
|
|
||||||
APR_BRIGADE_INSERT_TAIL(bb, bucket);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef HAVE_TLS_NPN
|
|
||||||
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
|
|
||||||
+ * our version of OpenSSL supports it). If we haven't already, find out
|
|
||||||
+ * which protocol was decided upon and inform other modules by calling
|
|
||||||
+ * npn_proto_negotiated_hook. */
|
|
||||||
+ if (!inctx->npn_finished) {
|
|
||||||
+ const unsigned char *next_proto = NULL;
|
|
||||||
+ unsigned next_proto_len = 0;
|
|
||||||
+
|
|
||||||
+ SSL_get0_next_proto_negotiated(
|
|
||||||
+ inctx->ssl, &next_proto, &next_proto_len);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
|
|
||||||
+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
|
|
||||||
+ next_proto_len, (const char*)next_proto);
|
|
||||||
+ modssl_run_npn_proto_negotiated_hook(
|
|
||||||
+ f->c, (const char*)next_proto, next_proto_len);
|
|
||||||
+ inctx->npn_finished = 1;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return APR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
|
|
||||||
inctx->block = APR_BLOCK_READ;
|
|
||||||
inctx->pool = c->pool;
|
|
||||||
inctx->filter_ctx = filter_ctx;
|
|
||||||
+ inctx->npn_finished = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* The request_rec pointer is passed in here only to ensure that the
|
|
||||||
--- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
|
|
||||||
@@ -29,6 +29,7 @@
|
|
||||||
time I was too famous.''
|
|
||||||
-- Unknown */
|
|
||||||
#include "ssl_private.h"
|
|
||||||
+#include "mod_ssl.h"
|
|
||||||
#include "util_md5.h"
|
|
||||||
|
|
||||||
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
|
|
||||||
@@ -2161,6 +2162,90 @@ int ssl_callback_SessionTicket(SSL *ssl,
|
|
||||||
}
|
|
||||||
#endif /* HAVE_TLS_SESSION_TICKETS */
|
|
||||||
|
|
||||||
+#ifdef HAVE_TLS_NPN
|
|
||||||
+/*
|
|
||||||
+ * This callback function is executed when SSL needs to decide what protocols
|
|
||||||
+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
|
|
||||||
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
|
|
||||||
+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
|
|
||||||
+ * in OpenSSL for reference.
|
|
||||||
+ */
|
|
||||||
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
|
|
||||||
+ unsigned int *size_out, void *arg)
|
|
||||||
+{
|
|
||||||
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
|
|
||||||
+ apr_array_header_t *protos;
|
|
||||||
+ int num_protos;
|
|
||||||
+ unsigned int size;
|
|
||||||
+ int i;
|
|
||||||
+ unsigned char *data;
|
|
||||||
+ unsigned char *start;
|
|
||||||
+
|
|
||||||
+ *data_out = NULL;
|
|
||||||
+ *size_out = 0;
|
|
||||||
+
|
|
||||||
+ /* If the connection object is not available, then there's nothing for us
|
|
||||||
+ * to do. */
|
|
||||||
+ if (c == NULL) {
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
|
|
||||||
+ * add alternate protocol names to advertise. */
|
|
||||||
+ protos = apr_array_make(c->pool, 0, sizeof(char*));
|
|
||||||
+ modssl_run_npn_advertise_protos_hook(c, protos);
|
|
||||||
+ num_protos = protos->nelts;
|
|
||||||
+
|
|
||||||
+ /* We now have a list of null-terminated strings; we need to concatenate
|
|
||||||
+ * them together into a single string, where each protocol name is prefixed
|
|
||||||
+ * by its length. First, calculate how long that string will be. */
|
|
||||||
+ size = 0;
|
|
||||||
+ for (i = 0; i < num_protos; ++i) {
|
|
||||||
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
|
|
||||||
+ unsigned int length = strlen(string);
|
|
||||||
+ /* If the protocol name is too long (the length must fit in one byte),
|
|
||||||
+ * then log an error and skip it. */
|
|
||||||
+ if (length > 255) {
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
|
|
||||||
+ "SSL NPN protocol name too long (length=%u): %s",
|
|
||||||
+ length, string);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ /* Leave room for the length prefix (one byte) plus the protocol name
|
|
||||||
+ * itself. */
|
|
||||||
+ size += 1 + length;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If there is nothing to advertise (either because no modules added
|
|
||||||
+ * anything to the protos array, or because all strings added to the array
|
|
||||||
+ * were skipped), then we're done. */
|
|
||||||
+ if (size == 0) {
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Now we can build the string. Copy each protocol name string into the
|
|
||||||
+ * larger string, prefixed by its length. */
|
|
||||||
+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
|
|
||||||
+ start = data;
|
|
||||||
+ for (i = 0; i < num_protos; ++i) {
|
|
||||||
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
|
|
||||||
+ apr_size_t length = strlen(string);
|
|
||||||
+ if (length > 255)
|
|
||||||
+ continue;
|
|
||||||
+ *start = (unsigned char)length;
|
|
||||||
+ ++start;
|
|
||||||
+ memcpy(start, string, length * sizeof(unsigned char));
|
|
||||||
+ start += length;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Success. */
|
|
||||||
+ *data_out = data;
|
|
||||||
+ *size_out = size;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#endif /* HAVE_TLS_NPN */
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_SRP
|
|
||||||
|
|
||||||
int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
|
|
||||||
--- httpd-2.4.4/modules/ssl/ssl_private.h.r1332643+
|
|
||||||
+++ httpd-2.4.4/modules/ssl/ssl_private.h
|
|
||||||
@@ -139,6 +139,11 @@
|
|
||||||
#define HAVE_FIPS
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
|
|
||||||
+ && !defined(OPENSSL_NO_TLSEXT)
|
|
||||||
+#define HAVE_TLS_NPN
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
|
|
||||||
#define MODSSL_SSL_CIPHER_CONST const
|
|
||||||
#define MODSSL_SSL_METHOD_CONST const
|
|
||||||
@@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndi
|
|
||||||
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
|
|
||||||
EVP_CIPHER_CTX *, HMAC_CTX *, int);
|
|
||||||
#endif
|
|
||||||
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
|
|
||||||
|
|
||||||
/** Session Cache Support */
|
|
||||||
void ssl_scache_init(server_rec *, apr_pool_t *);
|
|
@ -1,15 +0,0 @@
|
|||||||
# ./pullrev.sh 1534321
|
|
||||||
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1534321
|
|
||||||
|
|
||||||
--- httpd-2.4.6/modules/proxy/mod_proxy_http.c
|
|
||||||
+++ httpd-2.4.6/modules/proxy/mod_proxy_http.c
|
|
||||||
@@ -710,7 +710,7 @@
|
|
||||||
force10 = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- header_brigade = apr_brigade_create(p, origin->bucket_alloc);
|
|
||||||
+ header_brigade = apr_brigade_create(p, bucket_alloc);
|
|
||||||
rv = ap_proxy_create_hdrbrgd(p, header_brigade, r, p_conn,
|
|
||||||
worker, conf, uri, url, server_portstr,
|
|
||||||
&old_cl_val, &old_te_val);
|
|
@ -1,75 +0,0 @@
|
|||||||
--- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sninotreq
|
|
||||||
+++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
|
|
||||||
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat
|
|
||||||
mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
|
|
||||||
mc->pPool = pool;
|
|
||||||
mc->bFixed = FALSE;
|
|
||||||
+ mc->sni_required = FALSE;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* initialize per-module configuration
|
|
||||||
--- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sninotreq
|
|
||||||
+++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
|
|
||||||
@@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
|
|
||||||
/*
|
|
||||||
* Configuration consistency checks
|
|
||||||
*/
|
|
||||||
- ssl_init_CheckServers(base_server, ptemp);
|
|
||||||
+ ssl_init_CheckServers(mc, base_server, ptemp);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Announce mod_ssl and SSL library in HTTP Server field
|
|
||||||
@@ -1327,7 +1327,7 @@ void ssl_init_ConfigureServer(server_rec
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
|
|
||||||
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
|
|
||||||
{
|
|
||||||
server_rec *s, *ps;
|
|
||||||
SSLSrvConfigRec *sc;
|
|
||||||
@@ -1409,6 +1409,7 @@ void ssl_init_CheckServers(server_rec *b
|
|
||||||
}
|
|
||||||
|
|
||||||
if (conflict) {
|
|
||||||
+ mc->sni_required = TRUE;
|
|
||||||
#ifndef HAVE_TLSEXT
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
|
|
||||||
"Init: You should not use name-based "
|
|
||||||
--- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sninotreq
|
|
||||||
+++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c
|
|
||||||
@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
|
|
||||||
}
|
|
||||||
#ifdef HAVE_TLSEXT
|
|
||||||
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
|
|
||||||
+ if (myModConfig(r->server)->sni_required) {
|
|
||||||
char *host, *scope_id;
|
|
||||||
apr_port_t port;
|
|
||||||
apr_status_t rv;
|
|
||||||
@@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r)
|
|
||||||
" virtual host");
|
|
||||||
return HTTP_FORBIDDEN;
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
SSL_set_app_data2(ssl, r);
|
|
||||||
|
|
||||||
--- httpd-2.4.7/modules/ssl/ssl_private.h.sninotreq
|
|
||||||
+++ httpd-2.4.7/modules/ssl/ssl_private.h
|
|
||||||
@@ -533,6 +533,7 @@ typedef struct {
|
|
||||||
struct {
|
|
||||||
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
|
|
||||||
} rCtx;
|
|
||||||
+ BOOL sni_required;
|
|
||||||
} SSLModConfigRec;
|
|
||||||
|
|
||||||
/** Structure representing configured filenames for certs and keys for
|
|
||||||
@@ -778,7 +779,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
|
|
||||||
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
|
|
||||||
void ssl_init_Engine(server_rec *, apr_pool_t *);
|
|
||||||
void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
|
|
||||||
-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
|
|
||||||
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
|
|
||||||
STACK_OF(X509_NAME)
|
|
||||||
*ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
|
|
||||||
void ssl_init_Child(apr_pool_t *, server_rec *);
|
|
@ -1,83 +0,0 @@
|
|||||||
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
|
|
||||||
index 19ba733..28caefd 100644
|
|
||||||
--- a/modules/ssl/ssl_engine_config.c
|
|
||||||
+++ b/modules/ssl/ssl_engine_config.c
|
|
||||||
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
|
|
||||||
mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
|
|
||||||
mc->pPool = pool;
|
|
||||||
mc->bFixed = FALSE;
|
|
||||||
+ mc->sni_required = FALSE;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* initialize per-module configuration
|
|
||||||
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
||||||
index b1741b8..8e0c4bc 100644
|
|
||||||
--- a/modules/ssl/ssl_engine_init.c
|
|
||||||
+++ b/modules/ssl/ssl_engine_init.c
|
|
||||||
@@ -244,7 +244,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
||||||
/*
|
|
||||||
* Configuration consistency checks
|
|
||||||
*/
|
|
||||||
- if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
|
|
||||||
+ if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1398,7 +1398,7 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
|
|
||||||
return APR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
-apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
|
|
||||||
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
|
|
||||||
{
|
|
||||||
server_rec *s, *ps;
|
|
||||||
SSLSrvConfigRec *sc;
|
|
||||||
@@ -1480,6 +1480,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (conflict) {
|
|
||||||
+ mc->sni_required = TRUE;
|
|
||||||
#ifndef HAVE_TLSEXT
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
|
|
||||||
"Init: You should not use name-based "
|
|
||||||
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
|
|
||||||
index c60f0a6..232be86 100644
|
|
||||||
--- a/modules/ssl/ssl_engine_kernel.c
|
|
||||||
+++ b/modules/ssl/ssl_engine_kernel.c
|
|
||||||
@@ -165,6 +165,7 @@ int ssl_hook_ReadReq(request_rec *r)
|
|
||||||
#ifdef HAVE_TLSEXT
|
|
||||||
if (r->proxyreq != PROXYREQ_PROXY) {
|
|
||||||
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
|
|
||||||
+ if (myModConfig(r->server)->sni_required) {
|
|
||||||
char *host, *scope_id;
|
|
||||||
apr_port_t port;
|
|
||||||
apr_status_t rv;
|
|
||||||
@@ -216,6 +217,7 @@ int ssl_hook_ReadReq(request_rec *r)
|
|
||||||
return HTTP_FORBIDDEN;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
SSL_set_app_data2(ssl, r);
|
|
||||||
|
|
||||||
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
|
|
||||||
index 516d7e6..624bf7a 100644
|
|
||||||
--- a/modules/ssl/ssl_private.h
|
|
||||||
+++ b/modules/ssl/ssl_private.h
|
|
||||||
@@ -489,6 +489,7 @@ typedef struct {
|
|
||||||
ap_socache_instance_t *stapling_cache_context;
|
|
||||||
apr_global_mutex_t *stapling_mutex;
|
|
||||||
#endif
|
|
||||||
+ BOOL sni_required;
|
|
||||||
} SSLModConfigRec;
|
|
||||||
|
|
||||||
/** Structure representing configured filenames for certs and keys for
|
|
||||||
@@ -738,7 +739,7 @@ apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_re
|
|
||||||
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
|
|
||||||
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
|
|
||||||
apr_array_header_t *);
|
|
||||||
-apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
|
|
||||||
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
|
|
||||||
STACK_OF(X509_NAME)
|
|
||||||
*ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
|
|
||||||
void ssl_init_Child(apr_pool_t *, server_rec *);
|
|
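--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -63,7 +63,6 @@ Patch30: httpd-2.4.4-cachehardmax.patch
 Patch31: httpd-2.4.6-sslmultiproxy.patch
 Patch32: httpd-2.4.7-r1537535.patch
 # Bug fixes
-Patch51: httpd-2.4.9-sslsninotreq.patch
 Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
 License: ASL 2.0
@@ -189,7 +188,6 @@ interface for storing and accessing per-user session data.
 %patch31 -p1 -b .sslmultiproxy
 %patch32 -p1 -b .r1537535
 
-%patch51 -p1 -b .sslsninotreq
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
 
@@ -335,8 +333,8 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/httpd \
 
 # Make the MMN accessible to module packages
 echo %{mmnisa} > $RPM_BUILD_ROOT%{_includedir}/httpd/.mmn
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm
-cat > $RPM_BUILD_ROOT%{_sysconfdir}/rpm/macros.httpd <<EOF
+mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d
+cat > $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d/macros.httpd <<EOF
 %%_httpd_mmn %{mmnisa}
 %%_httpd_apxs %%{_bindir}/apxs
 %%_httpd_modconfdir %%{_sysconfdir}/httpd/conf.modules.d
@@ -621,9 +619,13 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_libdir}/httpd/build
 %{_libdir}/httpd/build/*.mk
 %{_libdir}/httpd/build/*.sh
-%{_sysconfdir}/rpm/macros.httpd
+%{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Mar 27 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.9-2
+- move macros from /etc/rpm to macros.d (#1074277)
+- remove unused patches
+
 * Mon Mar 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.9-1
 - update to 2.4.9
 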
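Review bot: The changelog entry "remove unused patches" does not match the @@ -63 and @@ -189 hunks, where Patch51 (httpd-2.4.9-sslsninotreq.patch) is both declared and applied via `%patch51 -p1 -b .sslsninotreq`, so dropping it is a functional change rather than cleanup of dead files. The deleted patch content above gates mod_ssl's HTTP_FORBIDDEN response for an SNI/Host mismatch on `myModConfig(r->server)->sni_required`, which means the built package now behaves differently for clients whose SNI name and Host header disagree; a distinct changelog line, e.g. `- drop sslsninotreq patch: SNI/Host mismatch check follows upstream again`, would make that visible to anyone reading the spec history. If upstream 2.4.9 already carries an equivalent of this change, the entry should say so instead, because the spec alone does not show it. The other deleted patch files are not referenced anywhere in the spec shown here, so "unused" is accurate for them.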